For what appears to be only the second time, the Financial Crimes Enforcement Network (“FinCEN”) has assessed a civil money penalty (“CMP”) against an individual for Bank Secrecy Act (“BSA”) violations based on alleged shortcomings of the anti-money laundering (“AML”) program that the individual was charged with overseeing. This enforcement action is a stark reminder to all industry participants that FinCEN takes BSA/AML enforcement seriously, and that the individuals who are responsible for BSA/AML compliance programs, even of large companies, can be held personally liable if the program is legally insufficient.

The Assessment of a Civil Money Penalty (the “CMP Assessment”), which was brought against the former Chief Operational Risk Officer of a bank (the “Bank”), relates to alleged shortcomings of the bank’s compliance program that had previously been addressed by regulators. Specifically, in February 2018, FinCEN, the Office of the Comptroller of the Currency (“OCC”), and the U.S. Department of Justice issued a CMP of $185 million against the Bank for, among other things, failing to comply with its obligations to implement and maintain an effective AML compliance program, and to detect and report certain suspicious activity by filing Suspicious Activity Reports (“SARs”).

As set forth in the CMP Assessment, the most prominent alleged shortcoming of the Bank’s AML compliance program, until 2015, included systems and processes that capped the number of alerts regarding suspicious transactions that were generated, resulting in a number of potentially suspicious transactions not being further investigated or reported through SARs. Additionally, regulators determined that certain money transfers processed as an agent of a licensed money transmitter at the Bank were not included in the monitoring system, that the Bank’s procedures for identifying and addressing high-risk customers were deficient, and that the Bank had an insufficient number of AML compliance personnel.

FinCEN’s decision to pursue, now, the individual allegedly responsible for these shortcomings after they have already been enforced against the Bank is reminiscent of FinCEN’s then‑controversial decision to assess a CMP of $1 million against the former Chief Compliance Officer of a major international money transmitter in 2014. That matter was, ultimately, settled in 2017, and the former compliance officer agreed to a $250,000 penalty. The specific allegations of misconduct against the money transmitter were different from the allegations against the Bank (though also related to alleged AML compliance program failures), but the underlying justification for taking action against an individual is similar. In this regard, when FinCEN entered into the settlement in 2017 with the money transmitter’s compliance officer, it said “despite being presented with various ways to address clearly illicit use of the financial institution, the individual failed to take required actions designed to guard the very system he was charged with protecting, undermining the purposes of the BSA.” In the current case, FinCEN has alleged that the Bank’s Chief Operational Risk Officer “shares responsibility for the Bank’s violations of the requirements to implement and maintain an effective AML program and file SARs in a timely manner,” and that he “failed to take sufficient action when presented with significant AML program deficiencies.”

According to FinCEN, the Chief Operational Risk Officer held multiple senior positions within the Bank’s AML compliance department and, at times, was responsible for overseeing the Bank’s AML compliance program. FinCEN, therefore, determined that he shared responsibility for the Bank’s failures to establish and implement an adequate AML compliance program and to timely file SARs.

Alleged 2015 AML Compliance Program Shortcomings

According to the CMP Assessment, the Bank knowingly drafted AML policies and procedures that prevented the identification and reporting of certain suspicious activity. Most significantly, the Bank’s automated transaction monitoring system allegedly “capped” the number of alerts generated for review. The Bank also purportedly set limits on two rules that were run against transaction data to identify indicia of potentially suspicious activity. FinCEN alleged that these practices suppressed an “alarming” number of suspicious activity alerts that would have been captured by a risk-based AML compliance program; according to FinCEN’s characterization of a look-back review, thousands of SARs were not timely filed as a result, and some may have involved transactions that laundered money.

FinCEN also alleged that the Bank had inadequate compliance personnel, such that even a limited number of alerts could not be properly reviewed. According to the CMP Assessment, even when the Bank had over $340 billion in assets, it employed only about 30 AML investigators. FinCEN stated that this violated the BSA requirement to provide a compliance officer with the resources necessary to fulfill his or her responsibilities.

Basis for Individual Liability

FinCEN alleged that the Chief Operational Risk Officer was individually responsible for these failures during his tenure with the Bank, which began in 2005 and ended in 2014. The underlying basis for FinCEN’s pursuit of individual liability appears to be FinCEN’s belief that the Chief Operational Risk Officer was on notice of the alleged shortcomings of the Bank’s compliance program and failed to act appropriately to address them.

In particular, the CMP Assessment notes that there was precedent for a regulatory action for BSA/AML compliance program violations, including capping alerts. According to FinCEN, the regulatory action taken against predecessor bank in February 2010 should have been recognized as applicable to the Bank. In addition, the CMP Assessment states that officials at the Bank were warned by the OCC that the alert caps could result in an enforcement action for the Bank, and that FinCEN had previously taken action against other banks for the same activity.

Moreover, the Chief Operational Risk Officer was, according to FinCEN, “advised” by two separate AML officers that the AML transaction monitoring tools were problematic. For example, in 2009, the CMP Assessment details an instance in which an AML officer sent the Chief Operational Risk Officer a memo indicating that an insufficient number of alerts were being investigated. The CMP Assessment also recounts an instance in 2010 in which an AML officer again, allegedly warned that “despite increases in SAR volumes, law enforcement inquiries, and closure recommendations, staffing had remained ‘relatively constant’ and ‘dangerously thin.’” According to FinCEN, even though the Chief Operational Risk Officer “did take certain steps to upgrade the AML Program, including advocating for and receiving funding for the replacement of the system in its entirety, his actions were inadequate to correct the deficiencies.”

Although FinCEN determined that the Chief Operational Risk Officer did try to address the deficiencies, it found that the individual’s efforts were not enough: he “failed to take sufficient action when presented with significant AML program deficiencies in the Bank’s SAR-monitoring system and the number of staff to fulfill the AML compliance role.” The CMP Assessment also states that, by the end of 2012, a new AML Officer identified the practice of capping alerts as a “serious risk” (in the words of the CMP Assessment), and a new Chief Compliance Officer also raised the issue. Furthermore, according to FinCEN, around November 2013, the new AML Officer and Chief Compliance Officer prepared a PowerPoint presentation on the AML program, which identified the capping of alerts. FinCEN stated that the issue of alert caps was first on a list of an “Overview of Significant AML Issues,” because, “from their perspective, it was the most pressing of the Bank’s AML issues.” According to FinCEN, the Chief Operational Risk Officer reviewed the presentation “yet failed to raise the issue of the alert caps with the CEO during the meeting, choosing instead to prioritize other compliance-related issues.”

Finally, FinCEN alleges that in May 2014, the AML Officer bypassed the Chief Operational Risk Officer and emailed the Bank’s then-Chief Risk Officer, outlining steps the AML Officer believed were necessary to correct the alert capping issue, but the Bank still did not begin addressing the issues until June 2014 “when questions from the OCC and reports from an internal complainant caused the Bank’s Chief Risk Officer to retain outside counsel to investigate the Bank’s practices.”

According to FinCEN, the communications and warnings to the Chief Operational Risk Officer were sufficient for him to be responsible—and personally liable—for the Bank’s AML compliance program shortcomings. The CMP Assessment states, the CMP was appropriate “for his role in the violations of the BSA and its implementing regulations.” FinCEN’s actions here should put all BSA/AML compliance program personnel on notice that there can be personal consequences for alleged systemic shortcomings of AML compliance programs.